CVE-2025-52897
BaseFortify
Publication date: 2025-07-30
Last updated on: 2025-08-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| glpi-project | glpi | From 9.1.0 (inc) to 10.0.19 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GLPI versions 9.1.0 through 10.0.18 allows an unauthenticated user to send a malicious link via the planning feature to attempt a phishing attack. It means attackers can exploit this feature without logging in to trick users into clicking harmful links.
How can this vulnerability impact me? :
The vulnerability can lead to phishing attacks where users might be tricked into clicking malicious links, potentially compromising their security or sensitive information. Since it requires no authentication, it increases the risk of unauthorized exploitation.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade GLPI to version 10.0.19 or later, where the issue has been fixed.